Submitters LOTUS:'an'LWE,based'PKE/KEM Le#Trieu#Phong,# ... · Table 6. LOTUS-PKE running times...
Transcript of Submitters LOTUS:'an'LWE,based'PKE/KEM Le#Trieu#Phong,# ... · Table 6. LOTUS-PKE running times...
LOTUS:'an'LWE,based'PKE/KEMSubmitters
Le#Trieu#Phong,#Takuya#Hayashi,#
Yoshinori#Aono,#Shiho#Moriai
National(Institute(of(Information(and(Communications(Technology,(Japan
LOTUSLearning'with'errOrs based'encryption'with'chosen'ciphertexT secUrity for'poSt quantum'era• PKE#and#KEM• IND=CCA2#security,#based#on#the#LWE#assumption.
• Parameter#sets#for#128=bit,#192=bit,#256=bit#securities.#
• Can#even#set#parameters#for#>256=bit#security.
• The,distinction,of,LOTUS:#among#encryption#schemes#based#on#the#LWE#assumption#(Regev 2005),#LOTUS#has#the#smallest,ciphertexts(1.1∼1.7#KB#+#size(symmetric#part)).
2
At'the'heart'of'LOTUS
• In#our#paper#at#INDOCRYPT 2013,#we#present#the#idea#of#combining:Lindner=Peikert 2011#+#Fujisaki=Okamoto#2013
• LOTUS#is#the#continuation#of#the#idea,#in#which#new#parameter#sets#are#introduced,#to#obtain:• Decryption#error#<#2#$%&.• 128=,#192=,#256=bit#securities#(hardness)#of#the#LWE#assumption.
3
Y.#Aono, X.#Boyen, L.#T.#Phong, L.#Wang:#Key=Private#Proxy#Re=encryption#under#LWE. INDOCRYPT 2013R.#Lindner, C.#Peikert:#Better#Key#Sizes#(and#Attacks)#for#LWE=Based#Encryption. CT=RSA 2011E.#Fujisaki, T.#Okamoto:#Secure#Integration#of#Asymmetric#and#Symmetric#Encryption#Schemes. J.#Cryptology##(2013)
For#using#the#LWE# For#CCA#security
Notations
', ), * LWE#parameters
+ An#integer#in#{128,#192,#256}
, A#random#matrix#in#-./×/
1 A#matrix#in#-./×2
4
LOTUS'key'generation'of'(,, 1, ', ), +, *)
5
, =
1 = 4 − ,6 ∈ -./×2
832
832
256
832
• ' = 832 :; LWE• ) = 8192 : modulus• + = 256 : AES;key;length• * = 3 : Gaussian#noise
LOTUS'encryption'of'R ∈ 0,1 ∗
6
AES=CTR#with#key#U(W)Lindner=Peikert2011#encryption#of#W with#randomness#Y W ∥ [\]^
LOTUS#encryption#of#arbitrary#messageR with#randomness#W
Lindner=Peikert2011#+#Fujisaki=Okamoto2013
[_ = `_, + `$ ∈ -./
[$ = `_1 + `b + W ⋅.$∈ -.2
LOTUS'decryption'of' [_, [$, [\]^• Compute#Wd = [_6 + [$ ∈ -.2
• Compute#We ∈ 0,1 2
• Integrity#check([_, [$) = f'[ghi
jgk ;We; Y(We ∥ [\]^)1. Return#fail#if#the#check#does#not#pass2. Return#R = 6mn o ([\]^) if#the#check#does#pass
7
Parameters
LWE’s,(', ), *) Others NIST’s,category
lotus-params128 (' = 576, ) = 8192, * = 3) + = q`rs`' = 128 AES=128,#SHA3=256
lotus-params192 (' = 704, ) = 8192, * = 3) + = q`rs`' = 192 AES=192,#SHA3=384
lotus-params256 (' = 832, ) = 8192, * = 3) + = q`rs`' = 256 AES=256#
8
Claim,1,(statistically,negligible,decryption,error):The#decryption#error#due#to#large#noise#in#LOTUS#is#less#than#2#$%&for#all#lotus-params{128,192,256}.#
Note:With#); = ;8192;and#*; = ;3,#the#same#claim#holds#for#all#' ≤ 1800.#Therefore,#there#is#a#lot#of#space#to#increase#the#LWE#security#parameter#'.
Parameters
9
Claim,2,(INDNCCA2,security):LOTUS#achieves#IND=CCA2#security#under#the#LWE(', ), *)#assumption#in#the#random#oracle#model.Note:This#is#thanks#to#the#IND=CPA#security#of#Lindner=Peikert2011#and#the#transformation#in#Fujisaki=Okamoto2013.
LWE’s,(', ), *) Others NIST’s,category
lotus-params128 (' = 576, ) = 8192, * = 3) + = q`rs`' = 128 AES=128,#SHA3=256
lotus-params192 (' = 704, ) = 8192, * = 3) + = q`rs`' = 192 AES=192,#SHA3=384
lotus-params256 (' = 832, ) = 8192, * = 3) + = q`rs`' = 256 AES=256#
Parameters
10
Claim,3,(LWE,practical,hardness):We#estimate#the#LWE(', ), *)#assumption#with#parameters#in#the#above#table#satisfy#the#corresponding#NIST’s#security#categories.Note:This#is#thanks#to#a#long#line#of#research#on#estimating#the#practical#hardness#of#LWE,#including#ours.
LWE’s,(', ), *) Others NIST’s,category
lotus-params128 (' = 576, ) = 8192, * = 3) + = q`rs`' = 128 AES=128,#SHA3=256
lotus-params192 (' = 704, ) = 8192, * = 3) + = q`rs`' = 192 AES=192,#SHA3=384
lotus-params256 (' = 832, ) = 8192, * = 3) + = q`rs`' = 256 AES=256#
LOTUS,PKE'sizes'and'a'comparison
11
4.3 Performance analysis of LOTUS-PKE and LOTUS-KEM
The performance analyses of LOTUS-PKE and LOTUS-KEM are given in Tables 4, 5, 6, 7.
Sizes. The key and ciphertext sizes in LOTUS are computed as follows in bits:
• size(pk) = size(P ) + size(A) where size(P ) = nl log2
(q) and size(A) = n2 log2
(q).• size(sk) = size(pk) + nl log
2
(7.54s).• size(CT ) = size(c
1
) + size(c2
) + size(csym) = (n+ l)⇥ log2
(q) + size(csym).
The constant 7.54 in estimating the size of sk is to ensure that its elements in absolute valuesare less than 7.54s approximately with probability 2�256.
Speed. We provide the three implementations for LOTUS-PKE and LOTUS-KEM: (1) ref-erence implementation, (2) optimized implementation, and (3) AVX2-based implementation.Timings reported in Tables 6 and 7 are from the reference implementation on a computerwith CPU Core i7-7700K (4.20 GHz). The timings are averaged over 212 times of executionsfor key generation and 217 times for encryption/encapsulation and decryption/decapsulation.The optimized and AVX2-based implementation (whose timings are not in the tables) are alittle faster than the reference implementation.
Table 4. LOTUS-PKE sizes.
Parameter set Public key size Secret key size Encapsulation sizelotus-params128 658.95 (KB) 700.42 (KB) 1.144 (KB) + size(csym)lotus-params192 1025.0 (KB) 1101.0 (KB) 1.456 (KB) + size(csym)lotus-params256 1471.0 (KB) 1590.8 (KB) 1.768 (KB) + size(csym)
Table 5. LOTUS-KEM sizes.
Parameter set Public key size Secret key size Encapsulation sizelotus-params128 658.95 (KB) 700.42 (KB) 1.144 (KB)lotus-params192 1025.0 (KB) 1101.0 (KB) 1.456 (KB)lotus-params256 1471.0 (KB) 1590.8 (KB) 1.768 (KB)
5 Expected Security Strength
We provide the evidence for the security strength of LOTUS-PKE and LOTUS-KEM.
5.1 Classical security strength
Theorem 3 The LOTUS-PKE scheme is IND-CCA2-secure under the LWE assumptionprovided that G,H are random oracles.
12
Basing#on#the#LWE#assumption
LOTUS'speed'(already'fast'enough)
12
Table 6. LOTUS-PKE running times (for 1 KB messages, reference implementation).
Parameter set KeyGen
ccapke Enc
ccapke Dec
ccapke
lotus-params128 6,385.842 usec 75.299 usec 91.091 usec26,820,400 clock 316,252 clock 382,582 clock
lotus-params192 11,109.302 usec 105.636 usec 139.862 usec46,658,849 clock 443,667 clock 587,417 clock
lotus-params256 17,197.583 usec 149.075 usec 210.126 usec72,229,496 clock 626,112 clock 882,523 clock
(usec denotes microsecond.)
Table 7. LOTUS-KEM running times (reference implementation).
Parameter set KeyGen
ccakem Enc
ccakem Dec
ccakem
lotus-params128 6387.009 usec 75.146 usec 90.165 usec26,825,276 clock 315,611 clock 378,690 clock
lotus-params192 10,975.066 usec 110.201 usec 142.581 usec46,095,015 clock 462,842 clock 598,836 clock
lotus-params256 17,106.305 usec 139.266 usec 206.540 usec71,846,095 clock 584,915 clock 867,464 clock
(usec denotes microsecond.)
Proof. We utilize the Fujisaki-Okamoto transformation in [19]. Indeed, the encryption in theLOTUS-PKE scheme can be viewed as follows:
Enc
ccapk (m; �) =
⇣Enc
cpapk
⇣�;H(� k csym)
⌘
| {z }(c
1
,c2
)
, SEG(�)(m)| {z }
csym
⌘(3)
which is exactly the transformation in [19]. To be complete, the encryption scheme withEnc
cpapk (·, ·) is one-way and (n + l) log
2
q-spread (see [19, Definition 5.2]) due to Theorem 1.Applying [19, Theorem 6.1], the above theorem follows. ut
Theorem 4 LOTUS-KEM scheme is IND-CCA2-secure under the LWE assumption pro-vided that G,H are random oracles.
The proof is similar to the proof of [19, Theorem 6.1].
Claim 2 (Security strength of LOTUS) Both LOTUS-PKE and LOTUS-KEM schemesachieve IND-CCA2 security with 256-bit security (resp., 192- and 128-bit security) withthe parameter set lotus-params256 (resp., lotus-params192 and lotus-params128). Theequivalence with NIST’s security category is also given in Table 2.
The evidence of Claim 2 directly comes from Claim 1, together with Theorem 3 and Theorem4.
13
LOTUSLearning'with'errOrs based'encryption'with'chosen'ciphertexT secUrity for'poSt quantum'era• PKE#and#KEM• IND=CCA2#security,#based#on#the#LWE#assumption.
• Parameter#sets#for#128=bit,#192=bit,#256=bit#securities.#
• Can#even#set#parameters#for#>256=bit#security.
• The,distinction,of,LOTUS:#among#encryption#schemes#based#on#the#LWE#assumption#(Regev 2005),#LOTUS#has#the#smallest,ciphertexts(1.1∼1.7#KB#+#size(symmetric#part)).
13